For a long time, cloud has been framed as a way to gain speed, flexibility and cost efficiency. That perspective is no longer sufficient.
According to NTT DATA’s latest global research among more than 2,300 senior decision-makers, 99 percent of organizations say that AI is increasing their need for cloud investment, yet 88 percent acknowledge that their current investment levels put their cloud, AI and modernization ambitions at risk.
As cloud becomes the execution layer for AI, this gap is no longer just a question of investment. It is a question of control.
Because as digital value accelerates, digital risk is accelerating even faster.
Cloud has become the environment where business actually runs. It is where data moves, where decisions are executed and where AI systems operate and scale.
This changes the nature of the conversation at executive level.
The question is no longer how fast an organization can scale. The real question is how well it can maintain control, build trust and ensure resilience in an environment that is becoming increasingly autonomous.
Digital value is accelerating, but so is risk
There is no doubt that AI is accelerating value creation. Organizations are building systems that learn continuously, interact across ecosystems and take decisions in real time.
At the same time, risk is growing at an even faster pace.
In distributed cloud environments, the assumptions that shaped traditional security no longer apply. The network perimeter has effectively disappeared. Control no longer sits in infrastructure, but in identities. And increasingly, those identities are not human.
Machine identities, applications and AI agents now interact constantly, often without direct human oversight. That creates a level of scale and complexity that static security models were never designed to handle.
In this context, fragmented governance and isolated controls do not just create gaps. They create structural exposure.
Identity has become the control plane
In modern cloud environments, every interaction is based on identity.
Applications authenticate to other applications. AI agents trigger actions. Systems exchange data continuously. What used to be protected by network boundaries is now governed by identity and access.
This shift is not always fully reflected in how organizations manage security.
While confidence in cloud security remains relatively high among leading organizations, governance maturity and consistent control mechanisms are far less developed across the broader market.
The consequence is straightforward.
If identity is not properly governed, control becomes fragmented. And when control is fragmented, risk becomes systemic.
Sovereignty is about control, not location
Cloud sovereignty has become a central topic in many boardrooms. Often, the discussion focuses on where data is stored.
That is only part of the picture.
Sovereignty is ultimately about control. Who controls access. Who manages encryption. Who defines and enforces policies. How workloads operate and how data flows across environments.
Without that level of control, data localization alone does not provide real assurance.
Organizations are increasingly recognizing that sovereignty depends on architecture, governance and security, not just geography.
In practice, sovereignty is not something that can be declared. It has to be continuously enforced.
Security as a strategic capability
This leads to a broader shift in how security needs to be positioned.
Security can no longer be treated as a technical layer that protects systems after the fact. In cloud-based, AI-driven environments, it plays a much more central role.
It determines how resilient operations are. It shapes how safely innovation can scale. And it directly influences how risk is managed across the enterprise.
It is therefore not surprising that security has become the top investment priority in cloud.
At executive level, the implication is clear. Security is not only about protection. It is about enabling the business to move forward with confidence.
From static controls to adaptive security
Operating in this new environment requires a different approach.
Security needs to be embedded into how the cloud environment is designed and operated. That means moving towards models where control is continuous rather than periodic.
Identity becomes the primary mechanism to enforce access. Policies need to be applied consistently across environments. And controls must adapt in real time as conditions change.
This is where concepts such as zero trust and policy-driven governance become practical necessities rather than theoretical frameworks.
Equally important, governance can no longer rely on manual processes. In distributed environments, control needs to be automated and integrated into platforms and architectures from the start.
The real differentiator: security maturity
As organizations move further into AI driven and increasingly autonomous ecosystems, one factor becomes decisive.
Security maturity.
It determines whether cloud strengthens resilience or increases exposure. It defines whether organizations can scale innovation safely or struggle to maintain control.
Organizations that treat security as an integral part of their cloud strategy are better positioned to manage complexity, protect value and build trust.
Those that do not will find that risk grows faster than their ability to control it.
A shift for the executive agenda
Cloud is no longer just a technology topic. It is a question of how the business operates, how decisions are made and how risk is managed.
That is why the discussion belongs at executive level.
The focus needs to move beyond scale as a success metric towards control, trust and resilience as indicators of maturity.
Because in an environment where systems act autonomously and interactions happen at scale, control is what ultimately determines performance.
And security is what makes that control possible.
Conclusion: control will define the winners
The shift to AI driven, autonomous cloud environments is no longer ahead of us. It is already underway.
What distinguishes organizations today is not how far they have progressed in cloud adoption, but how well they are able to control it.
Control over identities. Control over access. Control over data, workloads and policies across increasingly complex environments.
This is what ultimately determines whether cloud becomes a foundation for resilience or a source of systemic risk.
For the C-suite, the implication is clear.
Cloud strategy is no longer about technology choices or infrastructure optimization. It is about establishing the conditions under which the business can operate securely, adapt continuously and create value with confidence.
In that context, security is not a constraint. It is what makes scale sustainable.
And in an environment where systems act autonomously and decisions are executed at speed, organizations that get this right will not only reduce risk.
They will move faster, with greater confidence, than those that do not.